G00217298 Gartner's View on 'Bring Your Own' in Client Computing Published: 20 October 2011 Analyst(s): Leif-Olof Wallin Here, we bring together recently published research covering the hot topic of supporting "bring your own device" in organizations. Analysis A great influx in client inquiries indicates that IT leaders are under pressure in their respective organizations to support bring your own device (BYOD) plans. These plans need to carefully balance the needs and desires of end users with the requirements of the organization to manage risk and control cost. In short, it's about trying to balance four conflicting goals: social (keep employees happy), business (keep processes running effectively), financial (manage costs) and risk management (stop bad things from happening). The BYOD plan needs, at minimum, to cover the following aspects: Development of a BYOD contract or policy Eligibility Device selection Ownership, use, reimbursement and notification if lost Access to corporate resources/applications Security and privacy obligations for personal and business data Tools Many organizations will find that this might already have happened, and a first step could then be to survey the current state. Often, "bring your own" starts on the executive floor, which might make it very difficult to control. "CIO Attitudes Toward Consumerization of Mobile Devices and Applications" provides insight into what CIOs will expect during the next few years. Manifesting the BYOD Plan in a Contract At the heart of most BYOD plans is the assumption that users are willing to give up some level of control over their personal devices in exchange for access to corporate resources, such as networking and email. The extent to which users and companies may agree on the compromise will
vary. It's a prudent approach to have the end user sign a contract with the employer to this effect, because that is much more visible to the end user than just accepting a click-through agreement upon entering the BYOD program. It's important to ensure that end users fully understand that: They are solely responsible for backing up their personal content on the device. They can't complain or sue if their device gets wiped for cause or by mistake (subject to local laws; check with your organization's legal department). They must be aware of any limitations in the use of their device as a result of organizational policies being installed on the device, the installation of any software on the device, and that the device may be monitored and how any such information (such as location) will be treated. They must accept that limitations placed on their device could affect user experience, and may include the filtering of business data. They might be required to hand over their device upon request if necessary for e-discovery (subject to local laws; check with your legal department). We suggest that BYOD contracts be reviewed with the legal and HR departments of your organization in each country where the policy will be implemented. Eligibility One key component of a well-designed BYOD plan is to identify who is eligible to be in the plan. This is usually accomplished by doing a risk assessment of the position of the employee in the organization. For some positions, the impact of the device not performing may be considered too much of a financial risk to be eligible for the BYOD plan; for other positions, the information that the employee may have access to could be so sensitive that it prevents him or her from being eligible. From a user segmentation perspective, this effectively adds risk as a fourth vector to the existing three: business requirements, work style and location when segmenting user groups. In addition to risk assessment, line manager approval is usually also required. Device Selection Another important part of the plan is to establish what kind of devices can be used for different tasks. A successful BYOD plan doesn't necessarily have to support any or all types of devices. See "Use Managed Diversity to Support the Growing Variety of Endpoint Devices" for more details on a framework to establish what can be supported and how service levels can be differentiated. Device Ownership, How a Device Can Be Used and What It Can Be Used for, Potential Reimbursements, and What to Do If a Device Is Lost or Compromised A BYOD plan is rarely about cost savings. Because the capital expense (capex) of the device is usually around 20% of its total cost of ownership (TCO), this potential small savings is often offset by other expenses, as outlined in "The Cost of Connecting Apple's ipad and Other User-Owned Mobile Devices to the Corporate Network." "The Impact of BYOC on Management and Support" discusses the same aspects for computers. In many organizations, BYOD is really more about Page 2 of 5 Gartner, Inc. G00217298
empowering individuals and being an attractive place to work. The most common device to fuel demand for BYOD today is the Apple ipad. A successful BYOD plan needs to address all the different aspects of paying for and taking care of the device under the plan. These aspects include, but are not limited to: Who pays for the initial purchase of the device. This is usually the end user. Sometimes, organizations look into potentially providing a stipend to incentivizing end users to bring their own devices to work. The stipend model increasingly opens up organizations to tax liabilities, as more tax authorities are treating a stipend as salary. What happens if a personal device is lost, stolen or damaged when conducting business. Just like the stipend model, this could have implications from a tax perspective; however, probably the most important aspect is to set appropriate expectations with the employee regarding what will happen in this situation. The employee needs to immediately report when a device used under the BYOD plan is lost or believed to be otherwise compromised, just as if it were a corporate device, to allow the device to be wiped of any organizational data and to prevent continued access to any organizational resources. What kinds of applications, services and accessories used with the device may be reimbursable by the organization. Most organizations tend to pay for mobile data and voice services when the user is eligible. A process for how the end user can replace a device or add another device to the plan. Setting expectations for what kind of and how much support the end user can get from the organization. "Best Practices for Supporting 'Bring Your Own' Mobile Devices" outlines a number of strategies to manage the support resources consumed by BYOD. What kind of applications and services may be used on the device when it is in the plan. The growing use of cloud-based services for information transfer between PCs, Macs and mobile devices (such as Dropbox, Box.net, Evernote, etc.) is usually a concern from a security perspective. If the employee is using a BYOD as a primary device, instead of using a corporate-issued device, then there may need to be some language in the plan/contract around the obligation of the end user to keep the device operative. How to Access and Develop Corporate Applications From Personal Devices There are several possible architectures and strategies to provide access to corporate applications from personal devices. Great care needs to be exercised to ensure that there is no unnecessary exposure from a licensing perspective. "How Will Users Access the PC Apps They Need on Their Alternative Devices?" goes through the options, and their respective pros and cons. Gartner's CIO survey (see "CIO Attitudes Toward Consumerization of Mobile Devices and Applications") indicates that many organizations are moving to thinner architectures. For building mobile applications for Gartner, Inc. G00217298 Page 3 of 5
personal devices, there are unique challenges brought on by the fragmentation and changes in the smartphone and tablet markets. We outline strategies and tactics to deal with this in "Guide for Mobile Application Development, Sourcing and Support, 2011." Tools to Support BYOD Many organizations elect to implement a mobile device management (MDM) product to facilitate enrolling devices into the plan, to ensure that policy settings are pushed onto the device, to provide compliance reporting, to monitor usage/policy compliance, and to put configuration parameters onto the device for access to networks and email. The MDM market is described in "Magic Quadrant for Mobile Device Management" and "Critical Capabilities for Mobile Device Management."What to think about when going through an RFI/RFP for MDM products is described in "Toolkit: Mobile Device Management RFI and RFP Template."The future of this market and its convergence with PC life cycle management (PCLM) products is described in "Mobile Device and PC Configuration Life Cycle Management Tools, Market Update." The policies to configure for MDM are discussed in "Seven Steps to Planning and Developing a Superior Mobile Device Policy." Some clients also find the use of remote support tools (from companies such as LogMeIn and Rsupport) to be helpful for these devices. Recommended Reading Some documents may not be available as part of your current Gartner subscription. "How Will Users Access the PC Apps They Need on Their Alternative Devices?" "The Cost of Connecting Apple's ipad and Other User-Owned Mobile Devices to the Corporate Network" "Seven Steps to Planning and Developing a Superior Mobile Device Policy" "Mobile Device and PC Configuration Life Cycle Management Tools, Market Update" "Use Managed Diversity to Support the growing Variety of Endpoint Devices" "Best Practices for Supporting 'Bring Your Own' Mobile Devices" "Magic Quadrant for Mobile Device Management" "Toolkit: Mobile Device Management RFI and RFP Template" "Critical Capabilities for Mobile Device Management" "CIO Attitudes Toward Consumerization of Mobile Devices and Applications" "Guide for Mobile Application Development, Sourcing and Support, 2011" "The Impact of BYOC on Management and Support" Page 4 of 5 Gartner, Inc. G00217298
Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Japan Headquarters Gartner Japan Ltd. Atago Green Hills MORI Tower 5F 2-5-1 Atago, Minato-ku Tokyo 105-6205 JAPAN + 81 3 6430 1800 Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9 andar World Trade Center 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, http://www.gartner.com/technology/about/ ombudsman/omb_guide2.jsp. Gartner, Inc. G00217298 Page 5 of 5